Privacy Policy

AI Chat Exporter – PDF, DOCX & Sheets

Last Updated: March 15, 2026

📋 DATA USAGE DISCLOSURE

This extension collects limited account and technical data — including email address, license key, device identifier (hashed fingerprint), IP address, and export usage count — for authentication, subscription management, and abuse prevention.

AI conversation content is NEVER collected, stored, or transmitted to any server. Conversations are processed entirely within your browser.

Conversation content collected? NO — processed locally only

Account email collected? YES — for registration & login

Device fingerprint collected? YES — hashed, for abuse prevention

IP address collected? YES — for abuse prevention (deleted after 30 days)

Data sold to third parties? NO

Data used for advertising? NO

OAuth tokens stored? YES — locally in browser only

Backend services used? YES — Supabase, PayPal, Resend

1. Overview

AI Chat Exporter is a browser extension that allows users to export conversations from AI chat platforms (ChatGPT, Claude, Gemini, Grok, DeepSeek) into document formats such as PDF, DOCX, XLSX, Google Docs, Notion, and Gmail.

We respect user privacy and are committed to protecting personal information. This policy explains clearly what data we collect, how we use it, where it is stored, and with whom it may be shared.

2. Data We Collect

The extension collects the following categories of data to operate its features:

2.1 Account & Identity Data

Email address – collected at registration and used for account management, login, and license delivery.
Password – hashed using bcrypt by Supabase before storage; never stored in plain text.
Google account email and Google user ID – fetched from Google's OAuth profile API when the user connects Google Docs or Gmail. Stored only in the user's local browser storage (Chrome local storage); not transmitted to our servers.

2.2 License & Subscription Data

License key – entered by the user to activate a paid plan; stored locally and in Supabase.
Subscription details – subscription plan (Monthly / Yearly), subscription ID (PayPal), subscription status (active / cancelled / expired), subscription start date, subscription end date; stored in Supabase.
Export usage count (exports_used) and timestamp of last export (last_export_at) – used to enforce free-tier export limits; stored in Supabase (for logged-in users) and locally in Chrome storage.

2.3 Device & Technical Identifiers

Anonymous installation UUID – a randomly generated unique ID (UUID v4) created on first install. This ID has no link to your identity. It is stored in Chrome local storage and sent to our backend to track usage quotas for anonymous users.
Device fingerprint (hashed) – a non-reversible hash derived from the following browser attributes: User-Agent string, browser language, platform, screen resolution, screen color depth, timezone offset, and CPU core count. The raw attributes are never stored; only the resulting hash is used for abuse prevention (detecting reinstalls across the same device). Sent to Supabase.
Browser name and operating system – detected from the User-Agent and sent to the license validation server when a user activates a license key. Used for device compatibility checks and abuse prevention.
User-Agent string – sent during installation recording and quota checks; used for abuse detection.
IP address – used for abuse prevention and security. The extension resolves your IP address using third-party IP detection APIs (see Section 5) and then sends it to Supabase. IP logs are automatically deleted after 30 days.

2.4 OAuth Tokens

Google OAuth access token / refresh token – obtained when the user explicitly grants permission for Google Docs or Gmail export. Stored in Chrome local storage. Used only to write exported content to your own Google account.
Notion OAuth access token – obtained when the user explicitly grants permission for Notion export. Stored in Chrome local storage. Used only to write exported content to your Notion workspace.

Important – Content Access Disclosure: The extension's content script is injected into supported AI chat websites (ChatGPT, Claude, Gemini, Grok, DeepSeek) and reads the webpage's DOM in order to locate and extract conversation text for export. This processing happens entirely within the user's browser. The conversation content is converted to the chosen export format (PDF, DOCX, etc.) locally and is NEVER transmitted to our servers or any third party.

3. How We Use Your Data

Collected data is used strictly for:

User authentication and account management
License activation and validation (matching license key to device fingerprint)
Enforcing export quotas (5 anonymous / 10 registered / unlimited paid)
Detecting and preventing abuse (reinstalling to bypass free quota, IP block evasion)
Delivering license keys, account confirmations, and support communications via email
Processing payments through PayPal
Enabling optional third-party exports (Google Docs, Gmail, Notion) when the user explicitly triggers them
Customer support

No user data is used for advertising, analytics, profiling, or any purpose unrelated to operating the extension.

4. Data Storage

User data is stored in the following locations:

Storage Location	Data Stored
Supabase (cloud database, encrypted at rest)	Email, hashed password (managed by Supabase Auth), device fingerprint hash, User-Agent, IP address (auto-deleted after 30 days), export count, last export timestamp, license key, subscription plan/ID/status/dates, install count
Chrome local storage	Authentication JWT token, anonymous client UUID, user ID, user email, user tier, export count (local copy), license key, license info (plan, expiry), Google OAuth token, Google user email and ID, Notion OAuth token, export preferences (font, format, colors)
Chrome sync storage	Export preferences may be synced across devices via Chrome's built-in sync feature

All communications between the extension and backend services use HTTPS/TLS encryption. Passwords are hashed by Supabase (bcrypt) and never accessible in plain text. IP address logs are automatically purged after 30 days.

5. Data Sharing & Third-Party Services

We do not sell or rent user data to any third party.

The following trusted third-party services may receive limited data strictly to operate the extension:

Service	Purpose	Data Received
Supabase	Authentication, database, edge functions (license validation, quota)	Email, hashed password, device fingerprint, User-Agent, IP address, export usage, license and subscription data
PayPal	Payment processing for license purchases	Email address and payment amount during checkout
Resend	Transactional email delivery	Email address and license key (for delivery emails)
Google APIs (googleapis.com)	Optional Google Docs / Gmail export – only when user explicitly chooses this option	Google OAuth token; exported content is written directly to the user's own Google account
Notion API (api.notion.com)	Optional Notion export – only when user explicitly chooses this option	Notion OAuth token; exported content written to user's Notion workspace
ipify.org / my-ip.io / ipapi.co	IP address detection for abuse prevention. The extension queries these public APIs to determine the user's IP address, which is then sent to our Supabase backend. These services see the user's IP address as part of the HTTP request.	IP address (as part of the HTTP request to their endpoint)

These providers only receive the minimum data required to perform their services and are bound by their own privacy policies. Data is never shared with advertisers or unrelated third parties.

We may disclose data if required by applicable law or to protect our legal rights.

6. Browser Permissions

The extension requests the following browser permissions, each used for a specific and limited purpose:

Permission	Why It Is Required
activeTab	Used to access the currently open AI chat page so the extension can read the conversation and generate an export. Only active when the user explicitly triggers an export.
storage	Used to store user preferences (font, format, colors), authentication tokens, license data, and export usage count locally in the browser. No data leaves the browser via this permission.
downloads	Used to save the generated export file (PDF, DOCX, XLSX) directly to the user's device.
identity (Google OAuth)	Used only when the user explicitly chooses to export to Google Docs or Gmail. Triggers the Google OAuth login flow. Not used unless the user initiates a Google export.
host_permissions – chatgpt.com, claude.ai, gemini.google.com, grok.com, chat.deepseek.com	Required for the content script to run on supported AI chat pages in order to read and export conversations. The extension only reads page content when the user triggers an export action.
host_permissions – googleapis.com, api.notion.com	Required to call Google Docs / Gmail and Notion APIs when the user explicitly chooses those export destinations. Only activated by user action.
host_permissions – supabase.co	Required to communicate with the backend for authentication, license validation, and quota management.

7. Third-Party Export Integrations

If users choose to export content to external platforms such as Google Docs, Gmail, or Notion, the exported data will be processed according to the privacy policies of those respective services. These integrations require explicit user authorization via OAuth and can be revoked at any time from within the extension settings or from the respective service's account security settings.

8. Data Retention

User account data (email, export count, last export timestamp) is retained while the account is active
License and subscription information is retained until license expiry plus 90 days for dispute resolution
IP address and installation logs are automatically deleted after 30 days
Device fingerprints are retained as long as the associated account or anonymous session is active, and deleted upon account deletion
Authentication tokens (JWT) are stored locally and cleared upon logout
OAuth tokens (Google, Notion) are stored locally and cleared when the user disconnects the integration
The anonymous client UUID persists until the extension is uninstalled or Chrome storage is cleared

Users may request deletion of their account and all associated data by contacting support. We will process deletion requests within 30 days.

9. Legal Basis for Processing

We process user personal data on the following legal grounds:

User Consent – for account registration, email communications, and OAuth integrations (Google, Notion). Users provide consent at the point of registration or when connecting third-party services.
Contractual Necessity – for license activation, subscription management, and quota enforcement, which are required to deliver the paid service the user has purchased.
Legitimate Interests – for fraud and abuse prevention (device fingerprinting, IP tracking, install recording), to protect the service from misuse and maintain fair access for all users.

10. Security

We implement reasonable technical and organizational security measures to protect user data from unauthorized access or disclosure, including:

HTTPS/TLS encryption for all data in transit
Encryption at rest for all data stored in Supabase
Row Level Security (RLS) policies to restrict database access
Bcrypt password hashing (managed by Supabase Auth)
Device fingerprint hashing (raw browser attributes are never stored)
No third-party analytics or tracking scripts

11. User Rights & Account Deletion

Users have the right to:

Access personal data we hold about them
Request correction of inaccurate data
Request deletion of their account and all associated data
Withdraw consent by uninstalling the extension at any time (which clears all locally stored data)
Revoke Google or Notion OAuth access at any time
Request a copy of their data in a portable format

How to Delete Your Account

You can request full account deletion using any of the following methods:

Email: Send a deletion request to support@securedgateway.link with the subject line "Account Deletion Request" and your registered email address. We will delete all associated data within 30 days.
Uninstall: Uninstalling the extension immediately clears all locally stored data (tokens, preferences, license info) from your browser.
Revoke OAuth: To revoke Google access, visit myaccount.google.com/permissions. To revoke Notion access, visit your Notion account's Connected Apps settings.

To exercise any of your data rights, contact us at support@securedgateway.link.

12. Children's Privacy

This extension is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13.

13. Changes to This Policy

This privacy policy may be updated periodically. Changes will be reflected by updating the "Last Updated" date at the top of this page. Continued use of the extension after changes constitutes acceptance of the updated policy.

14. Developer Information

This extension is developed and operated by:

Developer: Nguyen Xuan Thao
Location: Hanoi, Vietnam
Email: support@securedgateway.link
Website: https://securedgateway.link

This extension is an independent tool and is not affiliated with, endorsed by, or sponsored by OpenAI, Anthropic, Google, xAI, or DeepSeek.

15. Device Fingerprinting Statement

This extension uses a hashed device fingerprint derived from browser attributes (User-Agent, language, platform, screen resolution, color depth, timezone, CPU cores) for the sole purpose of fraud prevention and license abuse detection.

Device fingerprinting is NOT used for:

Tracking users across websites
Advertising or behavioral profiling
Any purpose other than detecting reinstalls to bypass free export limits

The raw browser attributes are never stored. Only the resulting one-way hash is sent to our backend.

16. Contact

If you have questions regarding this privacy policy or wish to exercise your data rights:

Email: support@securedgateway.link
Website: https://securedgateway.link